From f07bbfa1743679059c8169f6843764b25f9c0369 Mon Sep 17 00:00:00 2001 From: Pierre Goiffon Date: Wed, 18 Apr 2018 06:57:38 +0000 Subject: [PATCH] =?UTF-8?q?N=C2=B01260=20MySQL=20TLS=20connection=20:=20ch?= =?UTF-8?q?ange=20parameters=20to=20only=20enable=20checkbox=20+=20CA=20(r?= =?UTF-8?q?emove=20client=20key,=20client=20cert,=20cappath,=20cipher)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SVN:trunk[5682] --- core/cmdbsource.class.inc.php | 99 +++++-------- core/config.class.inc.php | 67 +++------ core/mutex.class.inc.php | 27 ++-- setup/applicationinstaller.class.inc.php | 5 +- setup/backup.class.inc.php | 22 ++- setup/setuputils.class.inc.php | 172 +++++++++-------------- setup/wizardsteps.class.inc.php | 54 +++---- test/setup/DBBackupTest.php | 13 +- 8 files changed, 158 insertions(+), 301 deletions(-) diff --git a/core/cmdbsource.class.inc.php b/core/cmdbsource.class.inc.php index 9a0065c2f..26a368207 100644 --- a/core/cmdbsource.class.inc.php +++ b/core/cmdbsource.class.inc.php @@ -122,12 +122,22 @@ class CMDBSource protected static $m_sDBUser; protected static $m_sDBPwd; protected static $m_sDBName; - protected static $m_sDBTlsKey; - protected static $m_sDBTlsCert; + /** + * @var boolean + * @since 2.5 #1260 MySQL TLS first implementation + */ + protected static $m_bDBTlsEnabled; + /** + * @var string + * @since 2.5 #1260 MySQL TLS first implementation + */ protected static $m_sDBTlsCA; - protected static $m_sDBTlsCaPath; - protected static $m_sDBTlsCipher; + /** + * @var boolean + * @since 2.5 #1260 MySQL TLS first implementation + */ protected static $m_bDBTlsVerifyServerCert; + /** @var mysqli $m_oMysqli */ protected static $m_oMysqli; 
@@ -144,15 +154,11 @@ class CMDBSource $sUser = $oConfig->Get('db_user'); $sPwd = $oConfig->Get('db_pwd'); $sSource = $oConfig->Get('db_name'); - $sTlsKey = $oConfig->Get('db_tls.key'); - $sTlsCert = $oConfig->Get('db_tls.cert'); + $bTlsEnabled = $oConfig->Get('db_tls.enabled'); $sTlsCA = $oConfig->Get('db_tls.ca'); - $sTlsCaPath = $oConfig->Get('db_tls.capath'); - $sTlsCipher = $oConfig->Get('db_tls.cipher'); $sTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert'); - self::Init($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher, - $sTlsVerifyServerCert); + self::Init($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, $sTlsVerifyServerCert); $sCharacterSet = DEFAULT_CHARACTER_SET; $sCollation = DEFAULT_COLLATION; 
@@ -164,61 +170,50 @@ class CMDBSource * @param string $sUser * @param string $sPwd * @param string $sSource database to use - * @param string $sTlsKey - * @param string $sTlsCert + * @param bool $bTlsEnabled * @param string $sTlsCA - * @param string $sTlsCaPath - * @param string $sTlsCipher * @param bool $sTlsVerifyServerCert * * @throws \MySQLException */ public static function Init( - $sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCA = null, $sTlsCaPath = null, - $sTlsCipher = null, $sTlsVerifyServerCert = false + $sServer, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCA = null, $sTlsVerifyServerCert = false ) { self::$m_sDBHost = $sServer; self::$m_sDBUser = $sUser; self::$m_sDBPwd = $sPwd; self::$m_sDBName = $sSource; - self::$m_sDBTlsKey = empty($sTlsKey) ? null : $sTlsKey; - self::$m_sDBTlsCert = empty($sTlsCert) ? null : $sTlsCert; + self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled; self::$m_sDBTlsCA = empty($sTlsCA) ? null : $sTlsCA; - self::$m_sDBTlsCaPath = empty($sTlsCaPath) ? null : $sTlsCaPath; - self::$m_sDBTlsCipher = empty($sTlsCipher) ? null : $sTlsCipher; self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? 
null : $sTlsVerifyServerCert; - self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsKey, $sTlsCert, $sTlsCA, - $sTlsCaPath, $sTlsCipher, true, $sTlsVerifyServerCert); + self::$m_oMysqli = self::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, true, + $sTlsVerifyServerCert); } /** - * @param string $sServer + * @param string $sDbHost * @param string $sUser * @param string $sPwd * @param string $sSource database to use - * @param string $sTlsKey - * @param string $sTlsCert + * @param bool $bTlsEnabled * @param string $sTlsCa - * @param string $sTlsCaPath - * @param string $sTlsCipher - * @param bool $bCheckTlsAfterConnection - * @param bool $bVerifyTlsServerCert Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default) + * @param bool $bCheckTlsAfterConnection If true then verify after connection if it is encrypted + * @param bool $bVerifyTlsServerCert If true then verify server certificate when connecting * * @return \mysqli * @throws \MySQLException */ public static function GetMysqliInstance( - $sServer, $sUser, $sPwd, $sSource = '', $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCaPath = null, - $sTlsCipher = null, $bCheckTlsAfterConnection = false, $bVerifyTlsServerCert = false + $sDbHost, $sUser, $sPwd, $sSource = '', $bTlsEnabled = false, $sTlsCa = null, $bCheckTlsAfterConnection = false, + $bVerifyTlsServerCert = false ) { $oMysqli = null; $sServer = null; $iPort = null; - $bTlsEnabled = self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCa); - self::InitServerAndPort(self::$m_sDBHost, $sServer, $iPort); + self::InitServerAndPort($sDbHost, $sServer, $iPort); $iFlags = null; 
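Review bot: In Init, `self::$m_bDBTlsVerifyServerCert = empty($sTlsVerifyServerCert) ? null : $sTlsVerifyServerCert;` still stores null in a property whose new docblock declares `@var boolean`, and `self::$m_bDBTlsEnabled = empty($bTlsEnabled) ? false : $bTlsEnabled;` keeps whatever non-empty value the caller passed (a wizard parameter arrives as a string) instead of a bool. Both lines reduce to a cast: `self::$m_bDBTlsEnabled = (bool) $bTlsEnabled;` and `self::$m_bDBTlsVerifyServerCert = (bool) $sTlsVerifyServerCert;`. The parameter is documented as `@param bool $sTlsVerifyServerCert`, so a `$b` prefix would match the project's naming, as was done for `$bTlsEnabled` in the same signature. The hunk starts inside Init's docblock and ends inside GetMysqliInstance's body.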
@@ -236,18 +231,20 @@ class CMDBSource $iFlags = ($bVerifyTlsServerCert) ? MYSQLI_CLIENT_SSL : MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT; - $oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher); + $sTlsCert = null; // not implemented + $sTlsCaPath = null; // not implemented + $sTlsCipher = null; // not implemented + $oMysqli->ssl_set($bTlsEnabled, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher); } - $oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort, - ini_get("mysqli.default_socket"), $iFlags); + $oMysqli->real_connect($sServer, $sUser, $sPwd, '', $iPort, ini_get("mysqli.default_socket"), $iFlags); } catch(mysqli_sql_exception $e) { throw new MySQLException('Could not connect to the DB server', array('host' => $sServer, 'user' => $sUser), $e); } - if ($bCheckTlsAfterConnection - && self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCa) + if ($bTlsEnabled + && $bCheckTlsAfterConnection && !self::IsOpenedDbConnectionUsingTls($oMysqli)) { throw new MySQLException("Connection to the database is not encrypted whereas it was opened using TLS parameters", @@ -307,32 +304,6 @@ class CMDBSource } } - /** - * @param \Config $oConfig - * - * @return boolean - */ - public static function IsDbConnectionInConfigUsingTls($oConfig) - { - $sTlsKey = $oConfig->Get('db_tls.key'); - $sTlsCert = $oConfig->Get('db_tls.cert'); - $sTlsCA = $oConfig->Get('db_tls.ca'); - - return self::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA); - } - - /** - * @param string $sTlsKey - * @param string $sTlsCert - * @param string $sTlsCA - * - * @return bool - */ - public static function IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA) - { - return (!empty($sTlsKey) && !empty($sTlsCert) && !empty($sTlsCA)); - } - /** *
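Review bot: `$oMysqli->ssl_set($bTlsEnabled, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);` passes the enabled flag as the first argument of mysqli::ssl_set, which is the client key file path, so a `true` reaches the driver coerced to the string "1"; the key slot should be null like the other unimplemented parameters: `$sTlsKey = null; // not implemented` and `$oMysqli->ssl_set($sTlsKey, $sTlsCert, $sTlsCa, $sTlsCaPath, $sTlsCipher);`. On the context line above, `$iFlags` stays MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT whenever `$bVerifyTlsServerCert` is false, which is the configuration default, so in that case the CA file is loaded but does not authenticate the server and an enabled-only setup provides encryption without server identity; a short comment on the `$iFlags` line stating this would spare the next reader the lookup. The new guard `if ($bTlsEnabled && $bCheckTlsAfterConnection && !self::IsOpenedDbConnectionUsingTls($oMysqli))` is the right check for a silently negotiated plaintext connection, which is why callers should pass true for `$bCheckTlsAfterConnection` rather than false.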

A DB connection can be opened transparently (no errors thrown) without being encrypted, whereas the TLS * parameters were used.
diff --git a/core/config.class.inc.php b/core/config.class.inc.php index 9ef9935af..83cbd795c 100644 --- a/core/config.class.inc.php +++ b/core/config.class.inc.php @@ -150,19 +150,11 @@ class Config 'source_of_value' => '', 'show_in_conf_sample' => true, ), - 'db_tls.key' => array( - 'type' => 'string', - 'description' => 'Path to client key file for SSL', - 'default' => null, - 'value' => '', - 'source_of_value' => '', - 'show_in_conf_sample' => false, - ), - 'db_tls.cert' => array( - 'type' => 'string', - 'description' => 'Path to client certificate file for SSL', - 'default' => null, - 'value' => '', + 'db_tls.enabled' => array( + 'type' => 'bool', + 'description' => 'If true then the connection to the DB will be encrypted', + 'default' => false, + 'value' => false, 'source_of_value' => '', 'show_in_conf_sample' => false, ), @@ -174,27 +166,11 @@ class Config 'source_of_value' => '', 'show_in_conf_sample' => false, ), - 'db_tls.capath' => array( - 'type' => 'string', - 'description' => 'Path to a directory that contains trusted SSL CA certificates in PEM format', - 'default' => null, - 'value' => '', - 'source_of_value' => '', - 'show_in_conf_sample' => false, - ), - 'db_tls.cipher' => array( - 'type' => 'string', - 'description' => 'Optional : separated list of permissible cyphers to use for SSL encryption', - 'default' => null, - 'value' => '', - 'source_of_value' => '', - 'show_in_conf_sample' => false, - ), 'db_tls.verify_server_cert' => array( 'type' => 'bool', 'description' => 'Change the TLS flag used to connect : MYSQLI_CLIENT_SSL if true, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT if false (default)', 'default' => false, - 'value' => '', + 'value' => false, 'source_of_value' => '', 'show_in_conf_sample' => false, ), 
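Review bot: The new `db_tls.enabled` description, `If true then the connection to the DB will be encrypted`, reads as if it delivered a trusted connection on its own, while `db_tls.verify_server_cert` in the second hunk (@@ -174) keeps its default at false and is described only in terms of mysqli constants. Suggested wording: `'description' => 'If true then the connection to the DB is encrypted with TLS. The server certificate is checked only when db_tls.verify_server_cert is true and db_tls.ca is set',` and for the verify flag `'description' => 'If true then the DB server certificate is verified against db_tls.ca (MYSQLI_CLIENT_SSL); if false (default) the connection is encrypted but the server is not authenticated (MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)',`. Both entries keep `'show_in_conf_sample' => false`, so these descriptions are the only place an administrator will learn the difference.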
@@ -1908,30 +1884,23 @@ class Config } $this->Set('db_name', $sDBName); $this->Set('db_subname', $aParamValues['db_prefix']); - $sDbTlsKey = $aParamValues['db_tls_key']; - if (isset($sDbTlsKey) && !empty($sDbTlsKey)) + + $bDbTlsEnabled = (bool) $aParamValues['db_tls_enabled']; + if ($bDbTlsEnabled) { - $this->Set('db_tls.key', $sDbTlsKey, 'UpdateFromParams'); + $this->Set('db_tls.enabled', $bDbTlsEnabled, 'UpdateFromParams'); } - $sDbTlsCert = $aParamValues['db_tls_cert']; - if (isset($sDbTlsCert) && !empty($sDbTlsCert)) + else { - $this->Set('db_tls.cert', $sDbTlsCert, 'UpdateFromParams'); + // disabled : we don't want parameter in the file + $this->Set('db_tls.enabled', $bDbTlsEnabled, null); } - $sDbTlsCa = $aParamValues['db_tls_ca']; - if (isset($sDbTlsCa) && !empty($sDbTlsCa)) - { + $sDbTlsCa = $bDbTlsEnabled ? $aParamValues['db_tls_ca'] : null; + if (isset($sDbTlsCa) && !empty($sDbTlsCa)) { $this->Set('db_tls.ca', $sDbTlsCa, 'UpdateFromParams'); - } - $sDbTlsCaPath = $aParamValues['db_tls_capath']; - if (isset($sDbTlsCaPath) && !empty($sDbTlsCaPath)) - { - $this->Set('db_tls.capath', $sDbTlsCaPath, 'UpdateFromParams'); - } - $sDbTlsCipher = $aParamValues['db_tls_cipher']; - if (isset($sDbTlsCipher) && !empty($sDbTlsCipher)) - { - $this->Set('db_tls.cipher', $sDbTlsCipher, 'UpdateFromParams'); + } else { + // empty parameter : we don't want it in the file + $this->Set('db_tls.ca', null, null); } } diff --git a/core/mutex.class.inc.php b/core/mutex.class.inc.php index 7d2c3fff9..8e7951c49 100644 --- a/core/mutex.class.inc.php +++ b/core/mutex.class.inc.php 
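Review bot: `$bDbTlsEnabled = (bool) $aParamValues['db_tls_enabled'];` indexes the array directly, whereas the removed code and the `db_tls_ca` branch below guard with isset(); a caller that still builds its parameter array without the new key gets a notice and a silent default of false. `$bDbTlsEnabled = !empty($aParamValues['db_tls_enabled']);` gives the same result without the notice. The new `if (isset($sDbTlsCa) && !empty($sDbTlsCa)) {` and `} else {` lines also use same-line braces while every other block in the hunk is Allman style; worth aligning before merge. UpdateFromParams starts and ends outside the hunk.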
@@ -40,17 +40,14 @@ class iTopMutex protected $sDBPwd; protected $sDBName; protected $sDBSubname; - protected $sDBTlsKey; - protected $sDBTlsCert; + protected $bDBTlsEnabled; protected $sDBTlsCA; - protected $sDBTlsCaPath; - protected $sDBTlsCipher; protected $bDBTlsVerifyServerCert; static protected $aAcquiredLocks = array(); // Number of instances of the Mutex, having the lock, in this page public function __construct( - $sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $sDBTlsKey = null, $sDBTlsCert = null, - $sDBTlsCA = null, $sDBTlsCaPath = null, $sDBTlsCypher = null, $bDBTlsVerifyServerCert = null + $sName, $sDBHost = null, $sDBUser = null, $sDBPwd = null, $bDBTlsEnabled = false, $sDBTlsCA = null, + $bDBTlsVerifyServerCert = null ) { // Compute the name of a lock for mysql @@ -66,11 +63,8 @@ class iTopMutex $this->sDBName = $oConfig->Get('db_name'); $sDBSubname = $oConfig->Get('db_subname'); - $this->sDBTlsKey = is_null($sDBTlsKey) ? $oConfig->Get('db_tls.key') : $sDBTlsKey; - $this->sDBTlsCert = is_null($sDBTlsCert) ? $oConfig->Get('db_tls.cert') : $sDBTlsCert; + $this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled; $this->sDBTlsCA = is_null($sDBTlsCA) ? $oConfig->Get('db_tls.ca') : $sDBTlsCA; - $this->sDBTlsCaPath = is_null($sDBTlsCaPath) ? $oConfig->Get('db_tls.capath') : $sDBTlsCaPath; - $this->sDBTlsCipher = is_null($sDBTlsCypher) ? $oConfig->Get('db_tls.cipher') : $sDBTlsCypher; $this->bDBTlsVerifyServerCert = is_null($bDBTlsVerifyServerCert) ? $oConfig->Get('db_tls.verify_server_cert') : $bDBTlsVerifyServerCert; $this->sName = $sName; @@ -228,7 +222,7 @@ class iTopMutex } /** - * Initialiaze database connection. Mandatory attributes must be already set ! + * Initialize database connection. Mandatory attributes must be already set ! * * @throws \Exception * @throws \MySQLException 
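Review bot: The new constructor parameter `$bDBTlsEnabled = false` (hunk @@ -40) defeats the fallback written for it in the second hunk (@@ -66), `$this->bDBTlsEnabled = is_null($bDBTlsEnabled) ? $oConfig->Get('db_tls.enabled') : $bDBTlsEnabled;`: unlike `$sDBTlsCA` and `$bDBTlsVerifyServerCert`, which default to null, it can never be null, so a mutex built with only a name connects without TLS even when the configuration enables it. Declaring it as `$bDBTlsEnabled = null` in the signature restores the configuration lookup and matches the other connection parameters. The constructor body continues outside both hunks.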
@@ -239,17 +233,12 @@ class iTopMutex $sUser = $this->sDBUser; $sPwd = $this->sDBPwd; $sSource = $this->sDBName; - $sTlsKey = $this->sDBTlsKey; - $sTlsCert = $this->sDBTlsCert; + $bTlsEnabled = $this->bDBTlsEnabled; $sTlsCA = $this->sDBTlsCA; - $sTlsCaPath = $this->sDBTlsCaPath; - $sTlsCipher = $this->sDBTlsCipher; $bTlsVerifyServerCert = $this->bDBTlsVerifyServerCert; - $bDBTlsVerifyServerCert = $this->bDBTlsVerifyServerCert; - $this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, - $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher, - $bTlsVerifyServerCert, $bDBTlsVerifyServerCert); + $this->hDBLink = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, + false, $bTlsVerifyServerCert); if (!$this->hDBLink) { diff --git a/setup/applicationinstaller.class.inc.php b/setup/applicationinstaller.class.inc.php index 2db16dfd0..810e7249d 100644 --- a/setup/applicationinstaller.class.inc.php +++ b/setup/applicationinstaller.class.inc.php @@ -384,11 +384,8 @@ class ApplicationInstaller 'db_name' => $aDBParams['name'], 'new_db_name' => $aDBParams['name'], 'db_prefix' => $aDBParams['prefix'], - 'db_tls_key' => $aDBParams['db_tls_key'], - 'db_tls_cert' => $aDBParams['db_tls_cert'], + 'db_tls_enabled' => $aDBParams['db_tls_enabled'], 'db_tls_ca' => $aDBParams['db_tls_ca'], - 'db_tls_capath' => $aDBParams['db_tls_capath'], - 'db_tls_cipher' => $aDBParams['db_tls_cipher'], 'application_path' => $oParams->Get('url', ''), 'language' => $oParams->Get('language', ''), 'graphviz_path' => $oParams->Get('graphviz_path', ''), diff --git a/setup/backup.class.inc.php b/setup/backup.class.inc.php index 85133f184..c516b0545 100644 --- a/setup/backup.class.inc.php +++ b/setup/backup.class.inc.php 
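Review bot: The call `CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $bTlsEnabled, $sTlsCA, false, $bTlsVerifyServerCert)` passes false for `$bCheckTlsAfterConnection`, so the mutex connection skips the post-connect encryption check that CMDBSource::Init requests with true; a server that negotiates plaintext despite the TLS parameters is accepted here without error. Passing `$bTlsEnabled` in that position keeps the check off when TLS is disabled and on when it is requested; the same literal `false` is passed in setup/backup.class.inc.php (hunk @@ -550), where the same reasoning applies. The method continues past the hunk, so whether a MySQLException from that check would be handled there cannot be seen from the diff.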
@@ -550,18 +550,14 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the " $sUser = $oConfig->Get('db_user'); $sPwd = $oConfig->Get('db_pwd'); $sSource = $oConfig->Get('db_name'); - $sTlsKey = $oConfig->Get('db_tls.key'); - $sTlsCert = $oConfig->Get('db_tls.cert'); + $sTlsEnabled = $oConfig->Get('db_tls.enabled'); $sTlsCA = $oConfig->Get('db_tls.ca'); - $sTlsCaPath = $oConfig->Get('db_tls.capath'); - $sTlsCipher = $oConfig->Get('db_tls.cipher'); $bTlsVerifyServerCert = $oConfig->Get('db_tls.verify_server_cert'); try { - $oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, - $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher, - false, $bTlsVerifyServerCert); + $oMysqli = CMDBSource::GetMysqliInstance($sServer, $sUser, $sPwd, $sSource, $sTlsEnabled, $sTlsCA, false, + $bTlsVerifyServerCert); if ($oMysqli->connect_errno) { @@ -621,7 +617,8 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the " */ public static function GetMysqlCliTlsOptions($oConfig) { - if (!CMDBSource::IsDbConnectionInConfigUsingTls($oConfig)) + $bDbTlsEnabled = $oConfig->Get('db_tls.enabled'); + if (!$bDbTlsEnabled) { return ''; } 
@@ -629,12 +626,13 @@ if (class_exists('ZipArchive')) // The setup must be able to start even if the " $sTlsOptions = ''; $sTlsOptions .= ' --ssl'; - $sTlsOptions .= self::GetMysqliCliSingleOption('ssl-key', $oConfig->Get('db_tls.key')); - $sTlsOptions .= self::GetMysqliCliSingleOption('ssl-cert', $oConfig->Get('db_tls.cert')); + // ssl-key parameter : not implemented + // ssl-cert parameter : not implemented + $sTlsOptions .= self::GetMysqliCliSingleOption('ssl-ca', $oConfig->Get('db_tls.ca')); - $sTlsOptions .= self::GetMysqliCliSingleOption('ssl-cipher', $oConfig->Get('db_tls.cipher')); - $sTlsOptions .= self::GetMysqliCliSingleOption('ssl-capath', $oConfig->Get('db_tls.capath')); + // ssl-cipher parameter : not implemented + // ssl-capath parameter : not implemented return $sTlsOptions; } diff --git a/setup/setuputils.class.inc.php b/setup/setuputils.class.inc.php index 781cc7611..66947c4a9 100644 --- a/setup/setuputils.class.inc.php +++ b/setup/setuputils.class.inc.php @@ -845,11 +845,8 @@ class SetupUtils 'db_pwd' => $oPrevConf->Get('db_pwd'), 'db_name' => $oPrevConf->Get('db_name'), 'db_prefix' => $oPrevConf->Get('db_subname'), - 'db_tls_key' => $oPrevConf->Get('db_tls.key'), - 'db_tls_cert' => $oPrevConf->Get('db_tls.cert'), + 'db_tls_enabled' => $oPrevConf->Get('db_tls.enabled'), 'db_tls_ca' => $oPrevConf->Get('db_tls.ca'), - 'db_tls_capath' => $oPrevConf->Get('db_tls.capath'), - 'db_tls_cipher' => $oPrevConf->Get('db_tls.cipher'), 'graphviz_path' => $oPrevConf->Get('graphviz_path'), ); } 
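Review bot: `$sTlsOptions .= ' --ssl';` followed only by the `--ssl-ca` option gives the command-line client nothing that reflects `db_tls.verify_server_cert`, so a backup run through the CLI authenticates the server differently from the PHP connection; on MySQL the bare `--ssl` option was deprecated in 5.7.11 and removed in 8.0 in favour of `--ssl-mode`, while MariaDB still accepts it, so the option should be chosen per server flavour or at least documented with a comment such as `// --ssl is rejected by MySQL >= 8.0, which expects --ssl-mode=REQUIRED or VERIFY_CA`. The four `// ... parameter : not implemented` comments describe absent code; one line, `// only --ssl and --ssl-ca are supported (#1260)`, says the same. Whether GetMysqliCliSingleOption quotes the CA path with escapeshellarg() cannot be seen from the hunk and is worth confirming, since the path comes from the configuration file and ends up in a shell command line.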
@@ -890,16 +887,13 @@ class SetupUtils * @param string $sDBPwd * @param string $sDBName * @param string $sDBPrefix - * @param string $sTlsKey - * @param string $sTlsCert + * @param string $bTlsEnabled * @param string $sTlsCA - * @param string $sTlsCaPath - * @param string $sTlsCypher * @param string $sNewDBName */ static function DisplayDBParameters( - $oPage, $bAllowDBCreation, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsKey, $sTlsCert, $sTlsCA, - $sTlsCaPath, $sTlsCypher, $sNewDBName = '' + $oPage, $bAllowDBCreation, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $bTlsEnabled, $sTlsCA, + $sNewDBName = '' ) { $oPage->add(''); $oPage->add('

Database Server Connection'); @@ -913,29 +907,16 @@ class SetupUtils $oPage->add(''); //-- TLS params (N°1260) + $sTlsEnabledChecked = $bTlsEnabled ? ' checked' : ''; + $sTlsCaDisabled = $bTlsEnabled ? '' : ' disabled'; $oPage->add(''); - $oPage->add(''); - $oPage->add('Before configuring MySQL with TLS encryption, read the documentation on Combodo\'s Wiki'); - $oPage->add('SSL Key:'); - $oPage->add(''); - $oPage->add('Path to client key file for SSL'); - $oPage->add('SSL CERT:'); - $oPage->add(''); - $oPage->add('Path to client certificate file for SSL'); + $oPage->add(''); + $oPage->add('Before configuring MySQL with TLS encryption, read the documentation on Combodo\'s Wiki'); + $oPage->add(''); $oPage->add('SSL CA:'); $oPage->add(''); + ENT_QUOTES, 'UTF-8').'" size="15"'.$sTlsCaDisabled.'>'); $oPage->add('Path to certificate authority file for SSL'); - $oPage->add('SSL CA path:'); - $oPage->add(''); - $oPage->add(''); - $oPage->add('SSL cypher:'); - $oPage->add(''); - $oPage->add('Optional : separated list of permissible cyphers to use for SSL encryption'); $oPage->add(''); $oPage->add(''); @@ -981,7 +962,6 @@ function updateTlsImage() { } EOF ); - $bTlsEnabled = CMDBSource::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA); if (!$bTlsEnabled) { $oPage->add_ready_script('toggleTlsOptions();'); @@ -991,6 +971,10 @@ EOF $("tbody#tls_options>tr>th>label").click(function() { toggleTlsOptions(); }); +$("#db_tls_enabled").click(function() { + var bTlsEnabled = $("#db_tls_enabled").is(":checked"); + $("#db_tls_ca").prop("disabled", !bTlsEnabled); +}); updateTlsImage(); EOF ); 
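Review bot: The docblock line `* @param string $bTlsEnabled` in the DisplayDBParameters hunk (@@ -890) documents a boolean with the string type, while CheckDbServer later in the file documents the same parameter as `bool`; it should read `* @param bool $bTlsEnabled`. In the next hunk (@@ -913) the CA input is rendered with `' disabled'` when TLS is unchecked, and a disabled input is not submitted with the form, which is consistent with UpdateFromParams clearing `db_tls.ca` when TLS is off but deserves a one-line comment next to `$sTlsCaDisabled` so the coupling is not lost. DisplayDBParameters starts before and ends after these hunks.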
@@ -1019,11 +1003,8 @@ function DoCheckDBConnection() 'db_user': $("#db_user").val(), 'db_pwd': $("#db_pwd").val(), 'db_name': $("#db_name").val(), - 'db_tls_key': $("input#db_tls_key").val(), - 'db_tls_cert': $("input#db_tls_cert").val(), + 'db_tls_enabled': $("input#db_tls_enabled").val(), 'db_tls_ca': $("input#db_tls_ca").val(), - 'db_tls_capath': $("input#db_tls_capath").val(), - 'db_tls_cypher': $("input#db_tls_cypher").val() } if ((oXHRCheckDB != null) && (oXHRCheckDB != undefined)) { @@ -1111,7 +1092,7 @@ EOF <<td>input", function() { CheckDBConnection(); }); +$("table#table_db_options").on("keyup change", "tr>td input", function() { CheckDBConnection(); }); $("#db_new_name").on("click keyup change", function() { $("#create_db").attr("checked", "checked"); WizardUpdateButtons(); }); $("#db_name").on("click keyup change", function() { $("#existing_db").attr("checked", "checked"); WizardUpdateButtons(); }); 
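Review bot: `'db_tls_enabled': $("input#db_tls_enabled").val(),` reads the value attribute of a checkbox, which jQuery returns whether or not the box is checked, so the AJAX connection check sent to CheckDbServer likely reports TLS as enabled even when the user left it unchecked. The handler added to the same file in hunk @@ -991 already uses the right test; this line should match it and send an explicit numeric flag: `'db_tls_enabled': $("input#db_tls_enabled").is(":checked") ? 1 : 0,`. Sending 1/0 rather than the boolean matters because a serialised `false` arrives in PHP as the non-empty string "false", which the receiving `if ($bTlsEnabled)` treats as true. DoCheckDBConnection starts and ends outside the hunk.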
@@ -1130,33 +1111,21 @@ EOF * @param string $sDBServer * @param string $sDBUser * @param string $sDBPwd - * @param string $sTlsKey - * @param string $sTlsCert + * @param bool $bTlsEnabled * @param string $sTlsCA - * @param string $sTlsCaPath - * @param string $sTlsCipher * * @return bool|array false if the connection failed or array('checks' => Array of CheckResult, 'databases' => * Array of database names (as strings) or null if not allowed) */ static function CheckDbServer( - $sDBServer, $sDBUser, $sDBPwd, $sTlsKey = null, $sTlsCert = null, $sTlsCA = null, $sTlsCaPath = null, - $sTlsCipher = null + $sDBServer, $sDBUser, $sDBPwd, $bTlsEnabled = false, $sTlsCA = null ) { $aResult = array('checks' => array(), 'databases' => null); - if (CMDBSource::IsDbConnectionUsingTls($sTlsKey, $sTlsCert, $sTlsCA)) + if ($bTlsEnabled) { - if (!self::CheckFileExists($sTlsKey, $aResult, 'Can\'t open SSL Key file')) - { - return $aResult; - } - if (!self::CheckFileExists($sTlsCert, $aResult, 'Can\'t open SSL Cert file')) - { - return $aResult; - } - if (!self::CheckFileExists($sTlsCA, $aResult, 'Can\'t open SSL CA file')) + if (!empty($sTlsCA) && !self::CheckFileExists($sTlsCA, $aResult, 'Can\'t open SSL CA file')) { return $aResult; } 
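Review bot: With `if (!empty($sTlsCA) && !self::CheckFileExists($sTlsCA, $aResult, 'Can\'t open SSL CA file'))` the CA file becomes optional, and the Init call that follows in the next hunk passes `false` for the verify flag, so a setup with TLS enabled and no CA yields only INFO results although the server identity is never verified. Add a warning in that case, inside an `if (empty($sTlsCA))` branch before the connection attempt: `$aResult['checks'][] = new CheckResult(CheckResult::WARNING, 'TLS enabled without a CA file: the connection is encrypted but the DB server identity cannot be verified.');`. The docblock `@param bool $bTlsEnabled` is correct here and could be copied to DisplayDBParameters, which still declares the same parameter as string. CheckDbServer continues in the next hunk.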
@@ -1165,48 +1134,50 @@ EOF try { $oDBSource = new CMDBSource; - $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCipher, - false); + $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCA, false); $aResult['checks'][] = new CheckResult(CheckResult::INFO, "Connection to '$sDBServer' as '$sDBUser' successful."); $aResult['checks'][] = new CheckResult(CheckResult::INFO, "Info - User privileges: ".($oDBSource->GetRawPrivileges())); $bHasDbVersionRequired = self::CheckDbServerVersion($aResult, $oDBSource); - if ($bHasDbVersionRequired) + if (!$bHasDbVersionRequired) { - // Check some server variables - $iMaxAllowedPacket = $oDBSource->GetServerVariable('max_allowed_packet'); - $iMaxUploadSize = utils::ConvertToBytes(ini_get('upload_max_filesize')); - if ($iMaxAllowedPacket >= (500 + $iMaxUploadSize)) // Allow some space for the query + the file to upload - { - $aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is big enough compared to upload_max_filesize ($iMaxUploadSize)."); - } - else if($iMaxAllowedPacket < $iMaxUploadSize) - { - $aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is not big enough. Please, consider setting it to at least ".(500 + $iMaxUploadSize)."."); - } + return $aResult; + } - $iMaxConnections = $oDBSource->GetServerVariable('max_connections'); - if ($iMaxConnections < 5) - { - $aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_connections ($iMaxConnections) is not enough. 
Please, consider setting it to at least 5."); - } - else - { - $aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_connections is set to $iMaxConnections."); - } + // Check some server variables + $iMaxAllowedPacket = $oDBSource->GetServerVariable('max_allowed_packet'); + $iMaxUploadSize = utils::ConvertToBytes(ini_get('upload_max_filesize')); + if ($iMaxAllowedPacket >= (500 + $iMaxUploadSize)) // Allow some space for the query + the file to upload + { + $aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is big enough compared to upload_max_filesize ($iMaxUploadSize)."); + } + else if($iMaxAllowedPacket < $iMaxUploadSize) + { + $aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_allowed_packet ($iMaxAllowedPacket) is not big enough. Please, consider setting it to at least ".(500 + $iMaxUploadSize)."."); + } - $iInnodbLargePrefix = $oDBSource->GetServerVariable('innodb_large_prefix'); - $bInnodbLargePrefix = ($iInnodbLargePrefix == 1); - if (!$bInnodbLargePrefix) - { - $aResult['checks'][] = new CheckResult(CheckResult::ERROR, - "MySQL variable innodb_large_prefix is set to false, but must be set to true ! Otherwise this will limit indexes size and cause issues (iTop charset is utf8mb4)."); - } - else - { - $aResult['checks'][] = new CheckResult(CheckResult::INFO, - "MySQL innodb_large_prefix is active, so the iTop charset utf8mb4 can be used."); - } + $iMaxConnections = $oDBSource->GetServerVariable('max_connections'); + if ($iMaxConnections < 5) + { + $aResult['checks'][] = new CheckResult(CheckResult::WARNING, "MySQL server's max_connections ($iMaxConnections) is not enough. 
Please, consider setting it to at least 5."); + } + else + { + $aResult['checks'][] = new CheckResult(CheckResult::INFO, "MySQL server's max_connections is set to $iMaxConnections."); + } + + // innodb_large_prefix : since 2.5 #1001 utf8mb4 switch + $iInnodbLargePrefix = $oDBSource->GetServerVariable('innodb_large_prefix'); + $bInnodbLargePrefix = ($iInnodbLargePrefix == 1); + if (!$bInnodbLargePrefix) + { + $aResult['checks'][] = new CheckResult(CheckResult::ERROR, + "MySQL variable innodb_large_prefix is set to false, but must be set to true ! Otherwise this will limit indexes size and cause issues (iTop charset is utf8mb4)."); + } + else + { + $aResult['checks'][] = new CheckResult(CheckResult::INFO, + "MySQL innodb_large_prefix is active, so the iTop charset utf8mb4 can be used."); } try @@ -1290,23 +1261,18 @@ EOF * @param string $sDBServer * @param string $sDBUser * @param string $sDBPwd - * @param string $sTlsKey - * @param string $sTlsCert + * @param bool $bTlsEnabled * @param string $sTlsCa - * @param string $sTlsCapath - * - * @param string $sTlsCipher * * @return string * @throws \MySQLException */ static public function GetMySQLVersion( - $sDBServer, $sDBUser, $sDBPwd, $sTlsKey = null, $sTlsCert = null, $sTlsCa = null, $sTlsCapath = null, - $sTlsCipher = null + $sDBServer, $sDBUser, $sDBPwd, $bTlsEnabled = false, $sTlsCa = null ) { $oDBSource = new CMDBSource; - $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $sTlsKey, $sTlsCert, $sTlsCa, $sTlsCapath, $sTlsCipher); + $oDBSource->Init($sDBServer, $sDBUser, $sDBPwd, '', $bTlsEnabled, $sTlsCa, false); $sDBVersion = $oDBSource->GetDBVersion(); return $sDBVersion; } 
@@ -1317,16 +1283,12 @@ EOF $sDBUser = $aParameters['db_user']; $sDBPwd = $aParameters['db_pwd']; $sDBName = $aParameters['db_name']; - $sTlsKey = (isset($aParameters['db_tls_key'])) ? $aParameters['db_tls_key'] : null; - $sTlsCert = isset($aParameters['db_tls_cert']) ? $aParameters['db_tls_cert'] : null; + $sTlsEnabled = (isset($aParameters['db_tls_enabled'])) ? $aParameters['db_tls_enabled'] : null; $sTlsCA = (isset($aParameters['db_tls_ca'])) ? $aParameters['db_tls_ca'] : null; - $sTlsCaPath = (isset($aParameters['db_tls_capath'])) ? $aParameters['db_tls_capath'] : null; - $sTlsCipher = (isset($aParameters['db_tls_cipher'])) ? $aParameters['db_tls_cipher'] : null; $oPage->add_ready_script('oXHRCheckDB = null;'); - $checks = SetupUtils::CheckDbServer($sDBServer, $sDBUser, $sDBPwd, $sTlsKey, $sTlsCert, $sTlsCA, $sTlsCaPath, - $sTlsCipher); + $checks = SetupUtils::CheckDbServer($sDBServer, $sDBUser, $sDBPwd, $sTlsEnabled, $sTlsCA); if ($checks === false) { @@ -1469,11 +1431,8 @@ EOF 'db_pwd' => $oWizard->GetParameter('db_pwd', ''), 'db_name' => $oWizard->GetParameter('db_name', ''), 'db_prefix' => $oWizard->GetParameter('db_prefix', ''), - 'db_tls_key' => $oWizard->GetParameter('db_tls_key', ''), - 'db_tls_cert' => $oWizard->GetParameter('db_tls_cert', ''), + 'db_tls_enabled' => $oWizard->GetParameter('db_tls_enabled', false), 'db_tls_ca' => $oWizard->GetParameter('db_tls_ca', ''), - 'db_tls_capath' => $oWizard->GetParameter('db_tls_capath', ''), - 'db_tls_cipher' => $oWizard->GetParameter('db_tls_cipher', ''), 'source_dir' => $sRelativeSourceDir, ); $oConfig->UpdateFromParams($aParamValues, null); 
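Review bot: `$sTlsEnabled = (isset($aParameters['db_tls_enabled'])) ? $aParameters['db_tls_enabled'] : null;` forwards the raw posted string to CheckDbServer, whose `if ($bTlsEnabled)` is a truthiness test, so any non-empty string (including a literal "false" produced by serialising a JavaScript boolean) enables TLS. Normalise once at this boundary: `$bTlsEnabled = isset($aParameters['db_tls_enabled']) ? filter_var($aParameters['db_tls_enabled'], FILTER_VALIDATE_BOOLEAN) : false;` and pass `$bTlsEnabled` to CheckDbServer; the `$b` prefix also matches the parameter it feeds. The enclosing function starts outside the hunk.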
@@ -1524,11 +1483,8 @@ EOF 'db_pwd' => $oWizard->GetParameter('db_pwd', ''), 'db_name' => $oWizard->GetParameter('db_name', ''), 'db_prefix' => $oWizard->GetParameter('db_prefix', ''), - 'db_tls_key' => $oWizard->GetParameter('db_tls_key', ''), - 'db_tls_cert' => $oWizard->GetParameter('db_tls_cert', ''), + 'db_tls_enabled' => $oWizard->GetParameter('db_tls_enabled', false), 'db_tls_ca' => $oWizard->GetParameter('db_tls_ca', ''), - 'db_tls_capath' => $oWizard->GetParameter('db_tls_capath', ''), - 'db_tls_cipher' => $oWizard->GetParameter('db_tls_cipher', ''), 'source_dir' => '', ); $oConfig->UpdateFromParams($aParamValues, null); diff --git a/setup/wizardsteps.class.inc.php b/setup/wizardsteps.class.inc.php index 38cd9cdb8..81f2b1da4 100644 --- a/setup/wizardsteps.class.inc.php +++ b/setup/wizardsteps.class.inc.php @@ -177,11 +177,8 @@ class WizStepInstallOrUpgrade extends WizardStep $this->oWizard->SaveParameter('db_prefix', ''); $this->oWizard->SaveParameter('db_backup', false); $this->oWizard->SaveParameter('db_backup_path', ''); - $this->oWizard->SaveParameter('db_tls_key', ''); - $this->oWizard->SaveParameter('db_tls_cert', ''); + $this->oWizard->SaveParameter('db_tls_enabled', false); $this->oWizard->SaveParameter('db_tls_ca', ''); - $this->oWizard->SaveParameter('db_tls_capath', ''); - $this->oWizard->SaveParameter('db_tls_cipher', ''); if ($sInstallMode == 'install') { 
@@ -210,11 +207,8 @@ class WizStepInstallOrUpgrade extends WizardStep $sDBPrefix = $this->oWizard->GetParameter('db_prefix', ''); $bDBBackup = $this->oWizard->GetParameter('db_backup', false); $sDBBackupPath = $this->oWizard->GetParameter('db_backup_path', ''); - $sTlsKey = $this->oWizard->GetParameter('db_tls_key', ''); - $sTlsCert = $this->oWizard->GetParameter('db_tls_cert', ''); + $sTlsEnabled = $this->oWizard->GetParameter('db_tls_enabled', false); $sTlsCA = $this->oWizard->GetParameter('db_tls_ca', ''); - $sTlsCaPath = $this->oWizard->GetParameter('db_tls_capath', ''); - $sTlsCypher = $this->oWizard->GetParameter('db_tls_cipher', ''); $sPreviousVersionDir = ''; if ($sInstallMode == '') { @@ -229,11 +223,8 @@ class WizStepInstallOrUpgrade extends WizardStep $sDBPwd = $aPreviousInstance['db_pwd']; $sDBName = $aPreviousInstance['db_name']; $sDBPrefix = $aPreviousInstance['db_prefix']; - $sTlsKey = $aPreviousInstance['db_tls_key']; - $sTlsCert = $aPreviousInstance['db_tls_cert']; + $sTlsEnabled = $aPreviousInstance['db_tls_enabled']; $sTlsCA = $aPreviousInstance['db_tls_ca']; - $sTlsCaPath = $aPreviousInstance['db_tls_capath']; - $sTlsCypher = $aPreviousInstance['db_tls_cipher']; $this->oWizard->SaveParameter('graphviz_path', $aPreviousInstance['graphviz_path']); $sPreviousVersionDir = APPROOT; } @@ -259,8 +250,8 @@ class WizStepInstallOrUpgrade extends WizardStep $oPage->add(''); $oPage->add(''); - SetupUtils::DisplayDBParameters($oPage, false, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsKey, - $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCypher, null); + SetupUtils::DisplayDBParameters($oPage, false, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, + $sTlsEnabled, $sTlsCA, null); $aBackupChecks = SetupUtils::CheckBackupPrerequisites($sDBBackupPath); $bCanBackup = true; 
@@ -639,11 +630,9 @@ EOF
 $this->oWizard->GetParameter('db_server', ''),
 $this->oWizard->GetParameter('db_user', ''),
 $this->oWizard->GetParameter('db_pwd', ''),
- $this->oWizard->GetParameter('db_tls_key', ''),
- $this->oWizard->GetParameter('db_tls_cert', ''),
+ $this->oWizard->GetParameter('db_tls_enabled', ''),
 $this->oWizard->GetParameter('db_tls_ca', ''),
- $this->oWizard->GetParameter('db_tls_capath', ''),
- $this->oWizard->GetParameter('db_tls_cypher', '')
+ false
 );
 if ($oMutex->IsLocked())
 {
@@ -777,11 +766,8 @@ class WizStepDBParams extends WizardStep
 $this->oWizard->SaveParameter('new_db_name', '');
 $this->oWizard->SaveParameter('create_db', '');
 $this->oWizard->SaveParameter('db_new_name', '');
- $this->oWizard->SaveParameter('db_tls_key', '');
- $this->oWizard->SaveParameter('db_tls_cert', '');
+ $this->oWizard->SaveParameter('db_tls_enabled', false);
 $this->oWizard->SaveParameter('db_tls_ca', '');
- $this->oWizard->SaveParameter('db_tls_capath', '');
- $this->oWizard->SaveParameter('db_tls_cipher', '');
 return array('class' => 'WizStepAdminAccount', 'state' => '');
 }
@@ -794,16 +780,13 @@ class WizStepDBParams extends WizardStep
 $sDBPwd = $this->oWizard->GetParameter('db_pwd', '');
 $sDBName = $this->oWizard->GetParameter('db_name', '');
 $sDBPrefix = $this->oWizard->GetParameter('db_prefix', '');
- $sNewDBName = $this->oWizard->GetParameter('db_new_name', false);
- $sTlsKey = $this->oWizard->GetParameter('db_tls_key', '');
- $sTlsCert = $this->oWizard->GetParameter('db_tls_cert', '');
+ $sTlsEnabled = $this->oWizard->GetParameter('db_tls_enabled', '');
 $sTlsCA = $this->oWizard->GetParameter('db_tls_ca', '');
- $sTlsCaPath = $this->oWizard->GetParameter('db_tls_capath', '');
- $sTlsCypher = $this->oWizard->GetParameter('db_tls_cipher', '');
+ $sNewDBName = $this->oWizard->GetParameter('db_new_name', false);
 $oPage->add('
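Review bot: In the `@@ -639,11 +630,9 @@` hunk `db_tls_enabled` is read with a default of `''`, while every other read of the parameter in this commit defaults to `false` (the `@@ -177,11 +177,8 @@` and `@@ -210,11 +207,8 @@` hunks); the `@@ -794,16 +780,13 @@` hunk has the same `''` default. A string default for a flag that is otherwise boolean invites loose comparisons downstream, so `$this->oWizard->GetParameter('db_tls_enabled', false),` would be consistent. The trailing literal `false` takes the slot that previously held the cipher; if it is a verify-server-cert flag, as its position right after the CA argument suggests, hard-coding it off means this mutex connection accepts any server certificate even when a CA is configured — either pass the same value the main database connection uses or add a comment stating why it is fixed here. The statement this argument list belongs to begins outside the hunk.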
Location on the disk:
');
- SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsKey,
- $sTlsCert, $sTlsCA, $sTlsCaPath, $sTlsCypher, $sNewDBName);
+ SetupUtils::DisplayDBParameters($oPage, true, $sDBServer, $sDBUser, $sDBPwd, $sDBName, $sDBPrefix, $sTlsEnabled,
+ $sTlsCA, $sNewDBName);
 $oPage->add('
');
 $sCreateDB = $this->oWizard->GetParameter('create_db', 'yes');
 if ($sCreateDB == 'no')
@@ -2343,11 +2326,8 @@ EOF
 'user' => $this->oWizard->GetParameter('db_user'),
 'pwd' => $this->oWizard->GetParameter('db_pwd'),
 'name' => $sDBName,
- 'db_tls_key' => $this->oWizard->GetParameter('db_tls_key'),
- 'db_tls_cert' => $this->oWizard->GetParameter('db_tls_cert'),
+ 'db_tls_enabled' => $this->oWizard->GetParameter('db_tls_enabled'),
 'db_tls_ca' => $this->oWizard->GetParameter('db_tls_ca'),
- 'db_tls_capath' => $this->oWizard->GetParameter('db_tls_capath'),
- 'db_tls_cipher' => $this->oWizard->GetParameter('db_tls_cipher'),
 'prefix' => $this->oWizard->GetParameter('db_prefix'),
 ),
 'url' => $this->oWizard->GetParameter('application_url'),
@@ -2552,11 +2532,9 @@ class WizStepDone extends WizardStep
 $this->oWizard->GetParameter('db_server'),
 $this->oWizard->GetParameter('db_user'),
 $this->oWizard->GetParameter('db_pwd'),
- $this->oWizard->GetParameter('db_tls_key'),
- $this->oWizard->GetParameter('db_tls_cert'),
- $this->oWizard->GetParameter('db_tls_ca'),
- $this->oWizard->GetParameter('db_tls_capath'),
- $this->oWizard->GetParameter('db_tls_cipher'));
+ $this->oWizard->GetParameter('db_tls_enabled'),
+ $this->oWizard->GetParameter('db_tls_ca')
+ );
 $aParameters = json_decode($this->oWizard->GetParameter('selected_components', '{}'), true);
 $sCompactWizChoices = array();
 foreach($aParameters as $iStep => $aChoices)
diff --git a/test/setup/DBBackupTest.php b/test/setup/DBBackupTest.php
index 9f32b6173..236d59b44 100644
--- a/test/setup/DBBackupTest.php
+++ b/test/setup/DBBackupTest.php
@@ -18,19 +18,18 @@ class DBBackupTest extends ItopTestCase
 public function testGetMysqlCliTlsOptions()
 {
 $oConfig = new Config();
- $oConfig->Set('db_tls.key', 'key');
- $oConfig->Set('db_tls.cert', 'cert');
+ $oConfig->Set('db_tls.enabled', false);
 $sCliArgsNoTls = \DBBackup::GetMysqlCliTlsOptions($oConfig);
 $this->assertEmpty($sCliArgsNoTls);
- $oConfig->Set('db_tls.ca', 'ca');
+ $oConfig->Set('db_tls.enabled', true);
 $sCliArgsMinCfg = \DBBackup::GetMysqlCliTlsOptions($oConfig);
- $this->assertEquals(' --ssl --ssl-key="key" --ssl-cert="cert" --ssl-ca="ca"', $sCliArgsMinCfg);
+ $this->assertEquals(' --ssl', $sCliArgsMinCfg);
- $oConfig->Set('db_tls.capath', 'capath');
+ $sTestCa = 'my_test_ca';
+ $oConfig->Set('db_tls.ca', $sTestCa);
 $sCliArgsCapathCfg = \DBBackup::GetMysqlCliTlsOptions($oConfig);
- $this->assertEquals(' --ssl --ssl-key="key" --ssl-cert="cert" --ssl-ca="ca" --ssl-capath="capath"',
- $sCliArgsCapathCfg);
+ $this->assertEquals(' --ssl --ssl-ca="'.$sTestCa.'"', $sCliArgsCapathCfg);
 }
 }
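Review bot: `$sCliArgsCapathCfg` now names the CA case rather than a capath one, since `db_tls.capath` no longer exists in this commit; `$sCliArgsCaCfg = \DBBackup::GetMysqlCliTlsOptions($oConfig);` keeps the test readable. The expected string `' --ssl --ssl-ca="'.$sTestCa.'"'` pins plain double-quoting of the CA path but does not show whether GetMysqlCliTlsOptions() escapes the value, so a second case whose CA path contains a space or a double quote would make the quoting contract explicit (the path comes from the configuration file, so this is about robustness of the generated command line rather than untrusted input). The sequence also never checks that `db_tls.ca` set while `db_tls.enabled` is false still yields an empty string, which is the property the first assertion presumably intends to cover.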